Many current malware distribution techniques involve using email, spam, social networking applications, instant messaging, social engineering and other means to lead users to malicious distribution sites. In other words, users are lured to a malicious Uniform Resource Locator (URL) or Internet Protocol (IP) address, from which the user is infected with malware. These distribution techniques are being used with high success rates to expose massive numbers of people to malware infection.
To successfully take effective countermeasures against the distribution of malware, it is important for a maker of antimalware systems to capture samples of new malware quickly, as well as to identify the distribution and infection techniques that new malware uses. For example, by capturing a sample of a new malware instantiation, a signature identifying the malware can be created and distributed. An antimalware system can subsequently use this signature to detect the malware on infected computers, and to clean the detected infections. By understanding how the malware is distributed and what techniques it uses to infect users' computers (e.g., drive-by download, deliberate download, social engineering, etc.), an antimalware system can take more effective countermeasures.
One problem encountered in capturing malware samples and attack vectors quickly is that malicious software distribution sources (e.g., malicious websites, URLs, IP addresses) have a limited life span. Distributors of malware frequently change distribution sites, in order to stay one step ahead of detection. When conventional means are used to collect malware samples, a malicious site may no longer be active by the time it is identified and an attempt is made to capture malware therefrom. This prevents the timely capture and analysis of samples from the site. Additionally, in order to analyze the exploit techniques being used by malware being distributed from a malicious site, it is important that the malicious site be up and running. The delay in identifying a malicious site and capturing and analyzing malware being distributed therefrom using conventional techniques is often longer than the malicious distribution site's life span.
It would be desirable to address these issues.